<!DOCTYPE html><html class=split lang=en-US-x-hixie><script src=../link-fixup.js defer=""></script>
<!-- Mirrored from html.spec.whatwg.org/dev/browsers.html by HTTrack Website Copier/3.x [XR&CO'2014], Wed, 10 Sep 2025 08:36:28 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=utf-8" /><!-- /Added by HTTrack -->
<meta charset=utf-8><meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name=viewport><title>HTML Standard, Edition for Web Developers</title><meta content=#3c790a name=theme-color><meta content="light dark" name=color-scheme><link rel=stylesheet href=../../resources.whatwg.org/standard-shared-with-dev.css crossorigin=""><link rel=icon href=https://resources.whatwg.org/logo.svg crossorigin=""><link rel=stylesheet href=styles.css crossorigin=""><script>
   function toggleStatus(div) {
     div.parentNode.classList.toggle('wrapped');
   }
   function setLinkFragment(link) {
     link.hash = location.hash;
   }
  </script><body>
  <script async="" src=search.js></script>
  
  
  <header id=head class="head with-buttons">
   <a href=https://whatwg.org/ class=logo><img width=100 alt=WHATWG crossorigin="" class=darkmode-aware src=https://resources.whatwg.org/logo.svg height=100></a>
   
   <hgroup><h1><a rel=home href=index.html>HTML: The Living Standard</a></h1><p id=dev-edition-h2>Edition for Web Developers — Last Updated <span class=pubdate>10 September 2025</span></hgroup>
   

   <div id=search>
    <input placeholder="Search. Press '/'" autocomplete=off name=query id=query type=search>
    <ol id=results></ol>
   </div>
  </header>

  

  

  

  
  

  
  

  

  <nav><a href=popover.html>← 6.12 The popover attribute</a> — <a href=index.html>Table of Contents</a> — <a href=nav-history-apis.html>7.2 APIs related to navigation and
  session history →</a></nav><ol class=toc><li><a href=browsers.html#browsers><span class=secno>7</span> Loading web pages</a><ol><li><a href=browsers.html#loading-web-pages-supporting-concepts><span class=secno>7.1</span> Supporting concepts</a><ol><li><a href=browsers.html#origin><span class=secno>7.1.1</span> Origins</a><ol><li><a href=browsers.html#sites><span class=secno>7.1.1.1</span> Sites</a><li><a href=browsers.html#relaxing-the-same-origin-restriction><span class=secno>7.1.1.2</span> Relaxing the same-origin restriction</a></ol><li><a href=browsers.html#origin-keyed-agent-clusters><span class=secno>7.1.2</span> Origin-keyed agent clusters</a><li><a href=browsers.html#cross-origin-opener-policies><span class=secno>7.1.3</span> Cross-origin opener policies</a><ol><li><a href=browsers.html#the-coop-headers><span class=secno>7.1.3.1</span> The headers</a></ol><li><a href=browsers.html#coep><span class=secno>7.1.4</span> Cross-origin embedder policies</a><ol><li><a href=browsers.html#the-coep-headers><span class=secno>7.1.4.1</span> The headers</a></ol><li><a href=browsers.html#sandboxing><span class=secno>7.1.5</span> Sandboxing</a></ol></ol></ol><h2 id=browsers><span class=secno>7</span> Loading web pages<a href=#browsers class=self-link></a></h2>

  

  <h3 id=loading-web-pages-supporting-concepts><span class=secno>7.1</span> Supporting concepts<a href=#loading-web-pages-supporting-concepts class=self-link></a></h3>

  <h4 id=origin><span class=secno>7.1.1</span> Origins<a href=#origin class=self-link></a></h4>
  

  <p>Origins are the fundamental currency of the web's security model. Two actors in the web
  platform that share an origin are assumed to trust each other and to have the same authority.
  Actors with differing origins are considered potentially hostile versus each other, and are
  isolated from each other to varying degrees.</p>

  <p class=example>For example, if Example Bank's web site, hosted at <code>bank.example.com</code>, tries to examine the DOM of Example Charity's web site, hosted
  at <code>charity.example.org</code>, a <a id=origin:securityerror href=https://webidl.spec.whatwg.org/#securityerror data-x-internal=securityerror>"<code>SecurityError</code>"</a>
  <code id=origin:domexception><a data-x-internal=domexception href=https://webidl.spec.whatwg.org/#dfn-DOMException>DOMException</a></code> will be raised.</p>

  <hr>

  <p id=origin-2>An <dfn id=concept-origin data-export="">origin</dfn> is one of the following:</p>

  <dl><dt>An <dfn id=concept-origin-opaque data-export="">opaque origin</dfn><dd><p>An internal value, with no serialization it can be recreated from (it is serialized as
   "<code>null</code>" per <span>serialization of an origin</span>), for which the only
   meaningful operation is testing for equality.<dt>A <dfn id=concept-origin-tuple data-export="">tuple origin</dfn><dd>
    <p>A <a id=origin:tuple href=https://infra.spec.whatwg.org/#tuple data-x-internal=tuple>tuple</a> consisting of:

    <ul class=brief><li>A <dfn data-dfn-for=origin id=concept-origin-scheme data-export="">scheme</dfn> (an <a id=origin:ascii-string href=https://infra.spec.whatwg.org/#ascii-string data-x-internal=ascii-string>ASCII
     string</a>).<li>A <dfn data-dfn-for=origin id=concept-origin-host data-export="">host</dfn> (a <a href=https://url.spec.whatwg.org/#concept-host id=origin:concept-host data-x-internal=concept-host>host</a>).<li>A <dfn data-dfn-for=origin id=concept-origin-port data-export="">port</dfn> (null or a 16-bit
     unsigned integer).<li>A <dfn data-dfn-for=origin id=concept-origin-domain data-export="">domain</dfn> (null or a <a href=https://url.spec.whatwg.org/#concept-domain id=origin:concept-domain data-x-internal=concept-domain>domain</a>). Null unless stated otherwise.</ul>
   </dl>

  <p class=note><a href=#concept-origin id=origin:concept-origin>Origins</a> can be shared, e.g., among multiple
  <code>Document</code> objects. Furthermore, <a href=#concept-origin id=origin:concept-origin-2>origins</a> are generally
  immutable. Only the <a href=#concept-origin-domain id=origin:concept-origin-domain>domain</a> of a <a href=#concept-origin-tuple id=origin:concept-origin-tuple>tuple origin</a> can be changed, and only through the <code id=origin:dom-document-domain><a href=#dom-document-domain>document.domain</a></code> API.</p>

  

  <p class=example>The <span>serialization</span> of ("<code>https</code>", "<code>xn--maraa-rta.example</code>", null, null) is "<code>https://xn--maraa-rta.example</code>".</p>

  

  <div class=example>
   <p>The following table shows examples of when two <a href=#concept-origin-tuple id=origin:concept-origin-tuple-2>tuple
   origins</a> are <span id=same-origin>same origin</span> and <span id=same-origin-domain>same
   origin-domain</span>.</p>

   <table><tr><th><var>A</var>
     <th><var>B</var>
     <th><a href=#same-origin id=origin:same-origin>same origin</a>
     <th><a href=#same-origin-domain id=origin:same-origin-domain>same origin-domain</a>
    <tr><td>("<code>https</code>", "<code>example.org</code>", null, null)
     <td>("<code>https</code>", "<code>example.org</code>", null, null)
     <td>✅
     <td>✅
    <tr><td>("<code>https</code>", "<code>example.org</code>", 314, null)
     <td>("<code>https</code>", "<code>example.org</code>", 420, null)
     <td>❌
     <td>❌
    <tr><td>("<code>https</code>", "<code>example.org</code>", 314, "<code>example.org</code>")
     <td>("<code>https</code>", "<code>example.org</code>", 420, "<code>example.org</code>")
     <td>❌
     <td>✅
    <tr><td>("<code>https</code>", "<code>example.org</code>", null, null)
     <td>("<code>https</code>", "<code>example.org</code>", null, "<code>example.org</code>")
     <td>✅
     <td>❌
    <tr><td>("<code>https</code>", "<code>example.org</code>", null, "<code>example.org</code>")
     <td>("<code>http</code>", "<code>example.org</code>", null, "<code>example.org</code>")
     <td>❌
     <td>❌
   </table>
  </div>


  <h5 id=sites><span class=secno>7.1.1.1</span> Sites<a href=#sites class=self-link></a></h5>

  <p>A <dfn id=scheme-and-host>scheme-and-host</dfn> is a <a id=sites:tuple href=https://infra.spec.whatwg.org/#tuple data-x-internal=tuple>tuple</a> of a <dfn id=concept-scheme-and-host-scheme>scheme</dfn> (an <a id=sites:ascii-string href=https://infra.spec.whatwg.org/#ascii-string data-x-internal=ascii-string>ASCII string</a>) and a <dfn id=concept-scheme-and-host-host>host</dfn> (a <a href=https://url.spec.whatwg.org/#concept-host id=sites:concept-host data-x-internal=concept-host>host</a>).</p>

  <p>A <dfn id=site data-export="">site</dfn> is an <a href=#concept-origin-opaque id=sites:concept-origin-opaque>opaque origin</a> or a
  <a href=#scheme-and-host id=sites:scheme-and-host>scheme-and-host</a>.</p>

  

  <p class=note>Unlike the <a href=#same-origin id=sites:same-origin>same origin</a> and <a href=#same-origin-domain id=sites:same-origin-domain>same origin-domain</a> concepts,
  for <a href=#schemelessly-same-site id=sites:schemelessly-same-site>schemelessly same site</a> and <a href=#same-site id=sites:same-site>same site</a>, the <a href=#concept-origin-port id=sites:concept-origin-port>port</a> and <a href=#concept-origin-domain id=sites:concept-origin-domain>domain</a>
  components are ignored.</p>

  <p class=warning>For the reasons <a href=https://url.spec.whatwg.org/#warning-avoid-psl>explained in <cite>URL</cite></a>, the
  <a href=#same-site id=sites:same-site-2>same site</a> and <a href=#schemelessly-same-site id=sites:schemelessly-same-site-2>schemelessly same site</a> concepts should be avoided when
  possible, in favor of <a href=#same-origin id=sites:same-origin-2>same origin</a> checks.</p>

  <div id=example-same-site class=example><a href=#example-same-site class=self-link></a>
   <p>The following table shows examples of when two <a href=#concept-origin-tuple id=sites:concept-origin-tuple>tuple
   origins</a> are <span id=schemelessly-same-site>schemelessly same site</span> and <span id=same-site>same
   site</span>.</p>

  <p>Given that <code>wildlife.museum</code>, <code>museum</code>, and <code>com</code> are <a href=https://url.spec.whatwg.org/#host-public-suffix id=sites:public-suffix data-x-internal=public-suffix>public suffixes</a> and that <code>example.com</code> is not:</p>

   <table><tr><th><var>A</var>
     <th><var>B</var>
     <th><a href=#schemelessly-same-site id=sites:schemelessly-same-site-3>schemelessly same site</a>
     <th><a href=#same-site id=sites:same-site-3>same site</a>
    <tr><td>("<code>https</code>", "<code>example.com</code>")
     <td>("<code>https</code>", "<code>sub.example.com</code>")
     <td>✅
     <td>✅
    <tr><td>("<code>https</code>", "<code>example.com</code>")
     <td>("<code>https</code>", "<code>sub.other.example.com</code>")
     <td>✅
     <td>✅
    <tr><td>("<code>https</code>", "<code>example.com</code>")
     <td>("<code>http</code>", "<code>non-secure.example.com</code>")
     <td>✅
     <td>❌
    <tr><td>("<code>https</code>", "<code>r.wildlife.museum</code>")
     <td>("<code>https</code>", "<code>sub.r.wildlife.museum</code>")
     <td>✅
     <td>✅
    <tr><td>("<code>https</code>", "<code>r.wildlife.museum</code>")
     <td>("<code>https</code>", "<code>sub.other.r.wildlife.museum</code>")
     <td>✅
     <td>✅
    <tr><td>("<code>https</code>", "<code>r.wildlife.museum</code>")
     <td>("<code>https</code>", "<code>other.wildlife.museum</code>")
     <td>❌
     <td>❌
    <tr><td>("<code>https</code>", "<code>r.wildlife.museum</code>")
     <td>("<code>https</code>", "<code>wildlife.museum</code>")
     <td>❌
     <td>❌
    <tr><td>("<code>https</code>", "<code>wildlife.museum</code>")
     <td>("<code>https</code>", "<code>wildlife.museum</code>")
     <td>✅
     <td>✅
    <tr><td>("<code>https</code>", "<code>example.com</code>")
     <td>("<code>https</code>", "<code>example.com.</code>")
     <td>❌
     <td>❌
   </table>

   <p>(Here we have omitted the <a href=#concept-origin-port id=sites:concept-origin-port-2>port</a> and <a href=#concept-origin-domain id=sites:concept-origin-domain-2>domain</a> components since they are not considered.)</p>
  </div>


  <h5 id=relaxing-the-same-origin-restriction><span class=secno>7.1.1.2</span> Relaxing the same-origin restriction<a href=#relaxing-the-same-origin-restriction class=self-link></a></h5>

  <dl class=domintro><dt><code><var>document</var>.<span id=dom-document-domain>domain</span> [ = <var>domain</var> ]</code><dd>
    <p>Returns the current domain used for security checks.</p>

    <p>Can be set to a value that removes subdomains, to change the <a href=#concept-origin id=relaxing-the-same-origin-restriction:concept-origin>origin</a>'s <a href=#concept-origin-domain id=relaxing-the-same-origin-restriction:concept-origin-domain>domain</a> to allow pages on other subdomains of the same
    domain (if they do the same thing) to access each other. This enables pages on different hosts
    of a domain to synchronously access each other's DOMs.</p>

    <p>In sandboxed <code id=relaxing-the-same-origin-restriction:the-iframe-element><a href=iframe-embed-object.html#the-iframe-element>iframe</a></code>s, <code>Document</code>s with <a href=#concept-origin-opaque id=relaxing-the-same-origin-restriction:concept-origin-opaque>opaque origins</a>, and <code>Document</code>s without a <a href=document-sequences.html#concept-document-bc id=relaxing-the-same-origin-restriction:concept-document-bc>browsing context</a>, the setter will
    throw a <a id=relaxing-the-same-origin-restriction:securityerror href=https://webidl.spec.whatwg.org/#securityerror data-x-internal=securityerror>"<code>SecurityError</code>"</a> exception. In cases where <code id=relaxing-the-same-origin-restriction:dom-crossoriginisolated><a href=webappapis.html#dom-crossoriginisolated>crossOriginIsolated</a></code> or <code id=relaxing-the-same-origin-restriction:dom-originagentcluster><a href=#dom-originagentcluster>originAgentCluster</a></code> return true, the setter will do
    nothing.</p>
   </dl>

  <div class=critical>
   <p>Avoid using the <code id=relaxing-the-same-origin-restriction:dom-document-domain><a href=#dom-document-domain>document.domain</a></code> setter. It
   undermines the security protections provided by the same-origin policy. This is especially acute
   when using shared hosting; for example, if an untrusted third party is able to host an HTTP
   server at the same IP address but on a different port, then the same-origin protection that
   normally protects two different sites on the same host will fail, as the ports are ignored when
   comparing origins after the <code id=relaxing-the-same-origin-restriction:dom-document-domain-2><a href=#dom-document-domain>document.domain</a></code> setter has
   been used.</p>

   <p>Because of these security pitfalls, this feature is in the process of being removed from the
   web platform. (This is a long process that takes many years.)</p>

   <p>Instead, use <code>postMessage()</code> or
   <code>MessageChannel</code> objects to communicate across origins in a safe manner.</p>
  </div>

  


  <h4 id=origin-keyed-agent-clusters><span class=secno>7.1.2</span> <span id=origin-isolation></span>Origin-keyed agent clusters<a href=#origin-keyed-agent-clusters class=self-link></a></h4>

  <dl class=domintro><dt><code>window.<span id=dom-originagentcluster>originAgentCluster</span></code><dd>
    <p>Returns true if this <code>Window</code> belongs to an <a id=origin-keyed-agent-clusters:agent-cluster href=https://tc39.es/ecma262/#sec-agent-clusters data-x-internal=agent-cluster>agent cluster</a> which is
    <a href=#concept-origin id=origin-keyed-agent-clusters:concept-origin>origin</a>-<span>keyed</span>, in the manner described in
    this section.</p>
   </dl>

  <p>A <code>Document</code> delivered over a <span>secure context</span> can request that it be
  placed in an <a href=#concept-origin id=origin-keyed-agent-clusters:concept-origin-2>origin</a>-<span>keyed</span> <a id=origin-keyed-agent-clusters:agent-cluster-2 href=https://tc39.es/ecma262/#sec-agent-clusters data-x-internal=agent-cluster>agent
  cluster</a>, by using the `<dfn id=origin-agent-cluster data-dfn-type=http-header><code>Origin-Agent-Cluster</code></dfn>` HTTP
  response header. This header is a <a href=https://httpwg.org/specs/rfc8941.html id=origin-keyed-agent-clusters:http-structured-header data-x-internal=http-structured-header>structured header</a>
  whose value must be a <a href=https://httpwg.org/specs/rfc8941.html#boolean id=origin-keyed-agent-clusters:http-structured-header-boolean data-x-internal=http-structured-header-boolean>boolean</a>.
  <a href=references.html#refsSTRUCTURED-FIELDS>[STRUCTURED-FIELDS]</a></p>

  <p><span>Values</span>
  that are not the <a href=https://httpwg.org/specs/rfc8941.html#boolean id=origin-keyed-agent-clusters:http-structured-header-boolean-2 data-x-internal=http-structured-header-boolean>structured header boolean</a>
  true value (i.e., `<code>?1</code>`) will be ignored.</p>

  <p>The consequences of using this header are that attempting to <a href=#relaxing-the-same-origin-restriction>relax the same-origin
  restriction</a> using <code id=origin-keyed-agent-clusters:dom-document-domain><a href=#dom-document-domain>document.domain</a></code> will instead do
  nothing, and it will not be possible to send <code id=origin-keyed-agent-clusters:webassembly.module><a data-x-internal=webassembly.module href=https://webassembly.github.io/spec/js-api/#module>WebAssembly.Module</a></code> objects to
  cross-origin <code>Document</code>s (even if they are <a href=#same-site id=origin-keyed-agent-clusters:same-site>same site</a>). Behind the scenes,
  this isolation can allow user agents to allocate implementation-specific resources corresponding
  to <a href=https://tc39.es/ecma262/#sec-agent-clusters id=origin-keyed-agent-clusters:agent-cluster-3 data-x-internal=agent-cluster>agent clusters</a>, such as processes or threads, more
  efficiently.</p>

  <p>Note that within a <a id=origin-keyed-agent-clusters:browsing-context-group href=document-sequences.html#browsing-context-group>browsing context group</a>, the
  `<code id=origin-keyed-agent-clusters:origin-agent-cluster><a href=#origin-agent-cluster>Origin-Agent-Cluster</a></code>` header can never cause same-origin <code>Document</code>
  objects to end up in different <a href=https://tc39.es/ecma262/#sec-agent-clusters id=origin-keyed-agent-clusters:agent-cluster-4 data-x-internal=agent-cluster>agent clusters</a>, even if one
  sends the header and the other doesn't.</p>

  <p class=note>This means that the <code id=origin-keyed-agent-clusters:dom-originagentcluster><a href=#dom-originagentcluster>originAgentCluster</a></code> getter can return false, even if the
  header is set, if the header was omitted on a previously-loaded same-origin page in the same
  <a id=origin-keyed-agent-clusters:browsing-context-group-2 href=document-sequences.html#browsing-context-group>browsing context group</a>. Similarly, it can return true even when the header is not
  set.</p>

  

  <p class=note><code>Document</code>s with an <a href=#concept-origin-opaque id=origin-keyed-agent-clusters:concept-origin-opaque>opaque
  origin</a> can be considered unconditionally origin-keyed; for them the header has no effect,
  and the <code id=origin-keyed-agent-clusters:dom-originagentcluster-2><a href=#dom-originagentcluster>originAgentCluster</a></code> getter will always return
  true.</p>

  <p class=note>Similarly, <code>Document</code>s whose <a id=origin-keyed-agent-clusters:agent-cluster-5 href=https://tc39.es/ecma262/#sec-agent-clusters data-x-internal=agent-cluster>agent cluster</a>'s <span>cross-origin isolation mode</span> is not "<code id=origin-keyed-agent-clusters:cross-origin-isolation-none><a href=document-sequences.html#cross-origin-isolation-none>none</a></code>" are automatically origin-keyed. The
  `<code id=origin-keyed-agent-clusters:origin-agent-cluster-2><a href=#origin-agent-cluster>Origin-Agent-Cluster</a></code>` header might be useful as an additional hint to
  implementations about resource allocation, since the `<code id=origin-keyed-agent-clusters:cross-origin-opener-policy-2><a href=#cross-origin-opener-policy-2>Cross-Origin-Opener-Policy</a></code>`
  and `<code id=origin-keyed-agent-clusters:cross-origin-embedder-policy><a href=#cross-origin-embedder-policy>Cross-Origin-Embedder-Policy</a></code>` headers used to achieve cross-origin isolation
  are more about ensuring that everything in the same address space opts in to being there. But
  adding it would have no additional observable effects on author code.</p>


  <h4 id=cross-origin-opener-policies><span class=secno>7.1.3</span> Cross-origin opener policies<a href=#cross-origin-opener-policies class=self-link></a></h4>

  <p>An <dfn id=cross-origin-opener-policy-value>opener policy value</dfn> allows a document which
  is navigated to in a <a id=cross-origin-opener-policies:top-level-browsing-context href=document-sequences.html#top-level-browsing-context>top-level browsing context</a> to force the creation of a new
  <a id=cross-origin-opener-policies:top-level-browsing-context-2 href=document-sequences.html#top-level-browsing-context>top-level browsing context</a>, and a corresponding <a href=document-sequences.html#tlbc-group id=cross-origin-opener-policies:tlbc-group>group</a>. The possible values are:</p>

  <dl><dt>"<dfn id=coop-unsafe-none><code>unsafe-none</code></dfn>"<dd><p>This is the (current) default and means that the document will occupy the same
   <a id=cross-origin-opener-policies:top-level-browsing-context-3 href=document-sequences.html#top-level-browsing-context>top-level browsing context</a> as its predecessor, unless that document specified a
   different <span>opener policy</span>.<dt>"<dfn id=coop-same-origin-allow-popups><code>same-origin-allow-popups</code></dfn>"<dd><p>This forces the creation of a new <a id=cross-origin-opener-policies:top-level-browsing-context-4 href=document-sequences.html#top-level-browsing-context>top-level browsing context</a> for the
   document, unless its predecessor specified the same <span>opener policy</span> and they are
   <a href=#same-origin id=cross-origin-opener-policies:same-origin>same origin</a>.<dt>"<dfn id=coop-same-origin><code>same-origin</code></dfn>"<dd><p>This behaves the same as "<code id=cross-origin-opener-policies:coop-same-origin-allow-popups><a href=#coop-same-origin-allow-popups>same-origin-allow-popups</a></code>", with the addition that
   any <a id=cross-origin-opener-policies:auxiliary-browsing-context href=document-sequences.html#auxiliary-browsing-context>auxiliary browsing context</a> created needs to contain <a href=#same-origin id=cross-origin-opener-policies:same-origin-2>same origin</a>
   documents that also have the same <span>opener policy</span> or it will appear closed to the
   opener.<dt>"<dfn id=coop-same-origin-plus-coep><code>same-origin-plus-COEP</code></dfn>"<dd>
    <p>This behaves the same as "<code id=cross-origin-opener-policies:coop-same-origin><a href=#coop-same-origin>same-origin</a></code>", with the
    addition that it sets the (new) <a id=cross-origin-opener-policies:top-level-browsing-context-5 href=document-sequences.html#top-level-browsing-context>top-level browsing context</a>'s <a href=document-sequences.html#tlbc-group id=cross-origin-opener-policies:tlbc-group-2>group</a>'s <a href=document-sequences.html#bcg-cross-origin-isolation id=cross-origin-opener-policies:bcg-cross-origin-isolation>cross-origin isolation
    mode</a> to one of "<code id=cross-origin-opener-policies:cross-origin-isolation-logical><a href=document-sequences.html#cross-origin-isolation-logical>logical</a></code>" or "<code id=cross-origin-opener-policies:cross-origin-isolation-concrete><a href=document-sequences.html#cross-origin-isolation-concrete>concrete</a></code>".</p>

    <p class=note>"<code id=cross-origin-opener-policies:coop-same-origin-plus-coep><a href=#coop-same-origin-plus-coep>same-origin-plus-COEP</a></code>" cannot
    be directly set via the `<code id=cross-origin-opener-policies:cross-origin-opener-policy-2><a href=#cross-origin-opener-policy-2>Cross-Origin-Opener-Policy</a></code>` header, but results from a
    combination of setting both `<code><a href=#cross-origin-opener-policy-2 id=cross-origin-opener-policies:cross-origin-opener-policy-2-2>Cross-Origin-Opener-Policy</a>: <a href=#coop-same-origin id=cross-origin-opener-policies:coop-same-origin-2>same-origin</a></code>` and a
    `<code id=cross-origin-opener-policies:cross-origin-embedder-policy><a href=#cross-origin-embedder-policy>Cross-Origin-Embedder-Policy</a></code>` header whose value is <a href=#compatible-with-cross-origin-isolation id=cross-origin-opener-policies:compatible-with-cross-origin-isolation>compatible with
    cross-origin isolation</a> together.</p>
   <dt>"<dfn id=coop-noopener-allow-popups><code>noopener-allow-popups</code></dfn>"<dd>
    <p>This forces the creation of a new <a id=cross-origin-opener-policies:top-level-browsing-context-6 href=document-sequences.html#top-level-browsing-context>top-level browsing context</a> for the document,
    regardless of its predecessor.</p>

    <div class=note>
     <p>While including a <code id=cross-origin-opener-policies:coop-noopener-allow-popups><a href=#coop-noopener-allow-popups>noopener-allow-popups</a></code> value severs the opener
     relationship between the document on which it is applied and its opener, it does not create a
     robust security boundary between those same-origin documents.</p>

     <p>Other risks from same-origin applications include:</p>

     <ul><li><p>Same-origin requests fetching the document's content — could be mitigated through
      Fetch Metadata filtering. <a href=references.html#refsFETCHMETADATA>[FETCHMETADATA]</a><li><p>Same-origin framing - could be mitigated through <code id=cross-origin-opener-policies:x-frame-options><a href=speculative-loading.html#x-frame-options>X-Frame-Options</a></code> or CSP
      <code id=cross-origin-opener-policies:frame-ancestors-directive><a data-x-internal=frame-ancestors-directive href=https://w3c.github.io/webappsec-csp/#frame-ancestors>frame-ancestors</a></code>.<li><p>JavaScript accessible cookies - can be mitigated by ensuring all cookies are <code>httponly</code>.<li><p><code id=cross-origin-opener-policies:dom-localstorage><a href=webstorage.html#dom-localstorage>localStorage</a></code> access to sensitive data.<li><p>Service worker installation.<li><p><a href=https://w3c.github.io/ServiceWorker/#cache>Cache API</a> manipulation or
      access to sensitive data. <a href=references.html#refsSW>[SW]</a><li><p><code>postMessage</code> or <code>BroadcastChannel</code> messaging that
      exposes sensitive information.<li><p>Autofill which may not require user interaction for same-origin documents.</ul>

     <p>Developers using <code id=cross-origin-opener-policies:coop-noopener-allow-popups-2><a href=#coop-noopener-allow-popups>noopener-allow-popups</a></code>
     need to make sure that their sensitive applications don't rely on client-side features
     accessible to other same-origin documents, e.g., <code id=cross-origin-opener-policies:dom-localstorage-2><a href=webstorage.html#dom-localstorage>localStorage</a></code> and other client-side storage APIs,
     <code>BroadcastChannel</code> and related same-origin communication mechanisms. They also need
     to make sure that their server-side endpoints don't return sensitive data to non-navigation
     requests, whose response content is accessible to same-origin
     documents.</p>
    </div>
   </dl>

  


  <h5 id=the-coop-headers><span class=secno>7.1.3.1</span> The headers<a href=#the-coop-headers class=self-link></a></h5><div class="mdn-anno wrapped"><button onclick=toggleStatus(this) class=mdn-anno-btn><b title="Support in all current engines." class=all-engines-flag>✔</b><span>MDN</span></button><div class=feature><p><a href=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy title="The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.">Headers/Cross-Origin-Opener-Policy</a><p class=all-engines-text>Support in all current engines.<div class=support><span class="firefox yes"><span>Firefox</span><span>79+</span></span><span class="safari yes"><span>Safari</span><span>15.2+</span></span><span class="chrome yes"><span>Chrome</span><span>83+</span></span><hr><span class="opera no"><span>Opera</span><span>No</span></span><span class="edge_blink yes"><span>Edge</span><span>83+</span></span><hr><span class="edge unknown"><span>Edge (Legacy)</span><span>?</span></span><span class="ie no"><span>Internet Explorer</span><span>No</span></span><hr><span class="firefox_android unknown"><span>Firefox Android</span><span>?</span></span><span class="safari_ios unknown"><span>Safari iOS</span><span>?</span></span><span class="chrome_android unknown"><span>Chrome Android</span><span>?</span></span><span class="webview_android no"><span>WebView Android</span><span>No</span></span><span class="samsunginternet_android unknown"><span>Samsung Internet</span><span>?</span></span><span class="opera_android no"><span>Opera Android</span><span>No</span></span></div></div></div>

  <p>A <code>Document</code>'s <a href=dom.html#concept-document-coop id=the-coop-headers:concept-document-coop>cross-origin opener
  policy</a> is derived from the `<dfn id=cross-origin-opener-policy-2 data-dfn-type=http-header><code>Cross-Origin-Opener-Policy</code></dfn>` and `<dfn id=cross-origin-opener-policy-report-only data-dfn-type=http-header><code>Cross-Origin-Opener-Policy-Report-Only</code></dfn>` HTTP response headers.
  These headers are <a href=https://httpwg.org/specs/rfc8941.html id=the-coop-headers:http-structured-header data-x-internal=http-structured-header>structured headers</a> whose value must
  be a <a href=https://httpwg.org/specs/rfc8941.html#token id=the-coop-headers:http-structured-header-token data-x-internal=http-structured-header-token>token</a>. <a href=references.html#refsSTRUCTURED-FIELDS>[STRUCTURED-FIELDS]</a></p>

  <p>The valid <a href=https://httpwg.org/specs/rfc8941.html#token id=the-coop-headers:http-structured-header-token-2 data-x-internal=http-structured-header-token>token</a> values are the <a href=#cross-origin-opener-policy-value id=the-coop-headers:cross-origin-opener-policy-value>opener policy values</a>. The token may also have
  attached <a href=https://httpwg.org/specs/rfc8941.html#param id=the-coop-headers:http-structured-header-parameters data-x-internal=http-structured-header-parameters>parameters</a>; of these, the "<dfn id=coop-report-to><code>report-to</code></dfn>" parameter can have a <a id=the-coop-headers:valid-url-string href=https://url.spec.whatwg.org/#valid-url-string data-x-internal=valid-url-string>valid URL
  string</a> identifying an appropriate reporting endpoint. <a href=references.html#refsREPORTING>[REPORTING]</a></p>

  <p class=note><span>User</span> agents will ignore this header if it contains an invalid value. Likewise, user
  agents will ignore this header if the value cannot be parsed as a <a href=https://httpwg.org/specs/rfc8941.html#token id=the-coop-headers:http-structured-header-token-3 data-x-internal=http-structured-header-token>token</a>.</p>

  


  <h4 id=coep><span class=secno>7.1.4</span> Cross-origin embedder policies<a href=#coep class=self-link></a></h4><div class="mdn-anno wrapped"><button onclick=toggleStatus(this) class=mdn-anno-btn><b title="Support in all current engines." class=all-engines-flag>✔</b><span>MDN</span></button><div class=feature><p><a href=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy title="The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures embedding cross-origin resources into the document.">Headers/Cross-Origin-Embedder-Policy</a><p class=all-engines-text>Support in all current engines.<div class=support><span class="firefox yes"><span>Firefox</span><span>79+</span></span><span class="safari yes"><span>Safari</span><span>15.2+</span></span><span class="chrome yes"><span>Chrome</span><span>83+</span></span><hr><span class="opera unknown"><span>Opera</span><span>?</span></span><span class="edge_blink yes"><span>Edge</span><span>83+</span></span><hr><span class="edge unknown"><span>Edge (Legacy)</span><span>?</span></span><span class="ie no"><span>Internet Explorer</span><span>No</span></span><hr><span class="firefox_android unknown"><span>Firefox Android</span><span>?</span></span><span class="safari_ios unknown"><span>Safari iOS</span><span>?</span></span><span class="chrome_android unknown"><span>Chrome Android</span><span>?</span></span><span class="webview_android yes"><span>WebView Android</span><span>86+</span></span><span class="samsunginternet_android unknown"><span>Samsung Internet</span><span>?</span></span><span class="opera_android unknown"><span>Opera Android</span><span>?</span></span></div></div></div>

  <p>An <dfn id=embedder-policy-value data-export="">embedder policy value</dfn> is one of three strings that controls the fetching
  of cross-origin resources without explicit permission from resource owners.</p>

  <dl><dt>"<dfn data-dfn-for="embedder policy value" id=coep-unsafe-none data-export=""><code>unsafe-none</code></dfn>"<dd><p>This is the default value. When this value is used, cross-origin resources can be fetched
   without giving explicit permission through the <a id=coep:cors-protocol href=https://fetch.spec.whatwg.org/#http-cors-protocol data-x-internal=cors-protocol>CORS protocol</a> or the
   `<code id=coep:cross-origin-resource-policy><a data-x-internal=cross-origin-resource-policy href=https://fetch.spec.whatwg.org/#http-cross-origin-resource-policy>Cross-Origin-Resource-Policy</a></code>` header.<dt>"<dfn data-dfn-for="embedder policy value" id=coep-require-corp data-export=""><code>require-corp</code></dfn>"<dd><p>When this value is used, fetching cross-origin resources requires the server's
   explicit permission through the <a id=coep:cors-protocol-2 href=https://fetch.spec.whatwg.org/#http-cors-protocol data-x-internal=cors-protocol>CORS protocol</a> or the
   `<code id=coep:cross-origin-resource-policy-2><a data-x-internal=cross-origin-resource-policy href=https://fetch.spec.whatwg.org/#http-cross-origin-resource-policy>Cross-Origin-Resource-Policy</a></code>` header.<dt>"<dfn data-dfn-for="embedder policy value" id=coep-credentialless data-export=""><code>credentialless</code></dfn>"<dd><p>When this value is used, fetching cross-origin no-CORS resources omits credentials. In
   exchange, an explicit `<code id=coep:cross-origin-resource-policy-3><a data-x-internal=cross-origin-resource-policy href=https://fetch.spec.whatwg.org/#http-cross-origin-resource-policy>Cross-Origin-Resource-Policy</a></code>` header is not required. Other
   requests sent with credentials require the server's explicit permission through the <a id=coep:cors-protocol-3 href=https://fetch.spec.whatwg.org/#http-cors-protocol data-x-internal=cors-protocol>CORS
   protocol</a> or the `<code id=coep:cross-origin-resource-policy-4><a data-x-internal=cross-origin-resource-policy href=https://fetch.spec.whatwg.org/#http-cross-origin-resource-policy>Cross-Origin-Resource-Policy</a></code>` header.</dl>

  <div class=warning>
   <p>Before supporting "<code id=coep:coep-credentialless><a href=#coep-credentialless>credentialless</a></code>", implementers are
   strongly encouraged to support both:

   <ul class=brief><li><a href=https://wicg.github.io/private-network-access/>Private Network Access</a><li><a href=https://github.com/annevk/orb>Opaque Response Blocking</a></ul>

   <p>Otherwise, it would allow attackers to leverage the client's network position to read non
   public resources, using the <span>cross-origin isolated
   capability</span>.</p>
  </div>

  <p>An <a href=#embedder-policy-value id=coep:embedder-policy-value>embedder policy value</a> is <dfn id=compatible-with-cross-origin-isolation>compatible with cross-origin isolation</dfn> if
  it is "<code id=coep:coep-credentialless-2><a href=#coep-credentialless>credentialless</a></code>" or "<code id=coep:coep-require-corp><a href=#coep-require-corp>require-corp</a></code>".</p>

  


  <h5 id=the-coep-headers><span class=secno>7.1.4.1</span> The headers<a href=#the-coep-headers class=self-link></a></h5>

  <p>The `<dfn id=cross-origin-embedder-policy data-dfn-type=http-header><code>Cross-Origin-Embedder-Policy</code></dfn>` and
  `<dfn id=cross-origin-embedder-policy-report-only data-dfn-type=http-header><code>Cross-Origin-Embedder-Policy-Report-Only</code></dfn>` HTTP response
  headers allow a server to declare an <span>embedder policy</span> for an <span>environment
  settings object</span>. These headers are <a href=https://httpwg.org/specs/rfc8941.html id=the-coep-headers:http-structured-header data-x-internal=http-structured-header>structured
  headers</a> whose values must be <a href=https://httpwg.org/specs/rfc8941.html#token id=the-coep-headers:http-structured-header-token data-x-internal=http-structured-header-token>token</a>.
  <a href=references.html#refsSTRUCTURED-FIELDS>[STRUCTURED-FIELDS]</a>

  <p>The valid <a href=https://httpwg.org/specs/rfc8941.html#token id=the-coep-headers:http-structured-header-token-2 data-x-internal=http-structured-header-token>token</a> values are the <a href=#embedder-policy-value id=the-coep-headers:embedder-policy-value>embedder policy values</a>. The token may also have attached <a href=https://httpwg.org/specs/rfc8941.html#param id=the-coep-headers:http-structured-header-parameters data-x-internal=http-structured-header-parameters>parameters</a>; of these, the "<dfn id=coep-report-to><code>report-to</code></dfn>" parameter can have a <a id=the-coep-headers:valid-url-string href=https://url.spec.whatwg.org/#valid-url-string data-x-internal=valid-url-string>valid URL
  string</a> identifying an appropriate reporting endpoint. <a href=references.html#refsREPORTING>[REPORTING]</a></p>

  <div class=note>
   <p>The <span>processing model</span> fails open (by defaulting
   to "<code id=the-coep-headers:coep-unsafe-none><a href=#coep-unsafe-none>unsafe-none</a></code>") in the presence of a header that cannot
   be parsed as a token. This includes inadvertent lists created by combining multiple instances of
   the `<code id=the-coep-headers:cross-origin-embedder-policy><a href=#cross-origin-embedder-policy>Cross-Origin-Embedder-Policy</a></code>` header present in a given response:</p>

   <table class=data><thead><tr><th>`<code id=the-coep-headers:cross-origin-embedder-policy-2><a href=#cross-origin-embedder-policy>Cross-Origin-Embedder-Policy</a></code>`<th>Final <a href=#embedder-policy-value id=the-coep-headers:embedder-policy-value-2>embedder policy value</a><tbody><tr><td><em>No header delivered</em><td>"<code id=the-coep-headers:coep-unsafe-none-2><a href=#coep-unsafe-none>unsafe-none</a></code>"<tr><td>`<code>require-corp</code>`<td>"<code id=the-coep-headers:coep-require-corp><a href=#coep-require-corp>require-corp</a></code>"<tr><td>`<code>unknown-value</code>`<td>"<code id=the-coep-headers:coep-unsafe-none-3><a href=#coep-unsafe-none>unsafe-none</a></code>"<tr><td>`<code>require-corp, unknown-value</code>`<td>"<code id=the-coep-headers:coep-unsafe-none-4><a href=#coep-unsafe-none>unsafe-none</a></code>"<tr><td>`<code>unknown-value, unknown-value</code>`<td>"<code id=the-coep-headers:coep-unsafe-none-5><a href=#coep-unsafe-none>unsafe-none</a></code>"<tr><td>`<code>unknown-value, require-corp</code>`<td>"<code id=the-coep-headers:coep-unsafe-none-6><a href=#coep-unsafe-none>unsafe-none</a></code>"<tr><td>`<code>require-corp, require-corp</code>`<td>"<code id=the-coep-headers:coep-unsafe-none-7><a href=#coep-unsafe-none>unsafe-none</a></code>"</table>

   <p>(The same applies to `<code id=the-coep-headers:cross-origin-embedder-policy-report-only><a href=#cross-origin-embedder-policy-report-only>Cross-Origin-Embedder-Policy-Report-Only</a></code>`.)</p>
  </div>

  


  <h4 id=sandboxing><span class=secno>7.1.5</span> Sandboxing<a href=#sandboxing class=self-link></a></h4>

  <p>A <dfn id=sandboxing-flag-set data-export="">sandboxing flag set</dfn> is a set of zero or more of the following flags, which
  are used to restrict the abilities that potentially untrusted resources have:</p>

  <dl><dt>The <dfn id=sandboxed-navigation-browsing-context-flag data-export="">sandboxed navigation browsing context flag</dfn><dd>
    <p>This flag <a href=browsing-the-web.html#sandboxLinks>prevents content from navigating browsing contexts other
    than the sandboxed browsing context itself</a> (or browsing contexts further nested inside it),
    <a href=document-sequences.html#auxiliary-browsing-context id=sandboxing:auxiliary-browsing-context>auxiliary browsing contexts</a> (which are protected
    by the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag id=sandboxing:sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context flag</a> defined next), and the
    <a id=sandboxing:top-level-browsing-context href=document-sequences.html#top-level-browsing-context>top-level browsing context</a> (which is protected by the <a href=#sandboxed-top-level-navigation-without-user-activation-browsing-context-flag id=sandboxing:sandboxed-top-level-navigation-without-user-activation-browsing-context-flag>sandboxed top-level
    navigation without user activation browsing context flag</a> and <a href=#sandboxed-top-level-navigation-with-user-activation-browsing-context-flag id=sandboxing:sandboxed-top-level-navigation-with-user-activation-browsing-context-flag>sandboxed top-level
    navigation with user activation browsing context flag</a> defined below).</p>

    <p>If the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag id=sandboxing:sandboxed-auxiliary-navigation-browsing-context-flag-2>sandboxed auxiliary navigation browsing context flag</a> is not set, then in
    certain cases the restrictions nonetheless allow popups (new <a href=document-sequences.html#top-level-browsing-context id=sandboxing:top-level-browsing-context-2>top-level browsing contexts</a>) to be opened. These <a href=document-sequences.html#browsing-context id=sandboxing:browsing-context>browsing contexts</a> always have <dfn id=one-permitted-sandboxed-navigator>one permitted sandboxed navigator</dfn>, set
    when the browsing context is created, which allows the <a id=sandboxing:browsing-context-2 href=document-sequences.html#browsing-context>browsing context</a> that
    created them to actually navigate them. (Otherwise, the <a href=#sandboxed-navigation-browsing-context-flag id=sandboxing:sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing
    context flag</a> would prevent them from being navigated even if they were opened.)</p>
   <dt>The <dfn id=sandboxed-auxiliary-navigation-browsing-context-flag data-export="">sandboxed auxiliary navigation browsing context flag</dfn><dd>
    <p>This flag <a href=document-sequences.html#sandboxWindowOpen>prevents content from creating new auxiliary browsing
    contexts</a>, e.g. using the <code id=sandboxing:attr-hyperlink-target><a href=links.html#attr-hyperlink-target>target</a></code> attribute or
    the <code id=sandboxing:dom-open><a href=nav-history-apis.html#dom-open>window.open()</a></code> method.</p>
   <dt>The <dfn id=sandboxed-top-level-navigation-without-user-activation-browsing-context-flag data-export="">sandboxed top-level navigation without user activation browsing
   context flag</dfn><dd>
    <p>This flag <a href=browsing-the-web.html#sandboxLinks>prevents content from navigating their <span>top-level
    browsing context</span></a> and <a href=#sandboxClose>prevents content from closing their
    <span>top-level browsing context</span></a>. It is consulted only when the sandboxed browsing
    context's <a id=sandboxing:active-window href=document-sequences.html#active-window>active window</a> does not have <span>transient activation</span>.</p>

    <p>When the <a href=#sandboxed-top-level-navigation-without-user-activation-browsing-context-flag id=sandboxing:sandboxed-top-level-navigation-without-user-activation-browsing-context-flag-2>sandboxed top-level navigation without user activation browsing context
    flag</a> is <em>not</em> set, content can navigate its <a id=sandboxing:top-level-browsing-context-3 href=document-sequences.html#top-level-browsing-context>top-level browsing
    context</a>, but other <a href=document-sequences.html#browsing-context id=sandboxing:browsing-context-3>browsing contexts</a> are still
    protected by the <a href=#sandboxed-navigation-browsing-context-flag id=sandboxing:sandboxed-navigation-browsing-context-flag-2>sandboxed navigation browsing context flag</a> and possibly
    the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag id=sandboxing:sandboxed-auxiliary-navigation-browsing-context-flag-3>sandboxed auxiliary navigation browsing context flag</a>.</p>
   <dt>The <dfn id=sandboxed-top-level-navigation-with-user-activation-browsing-context-flag data-export="">sandboxed top-level navigation with user activation browsing context
   flag</dfn><dd>
    <p>This flag <a href=browsing-the-web.html#sandboxLinks>prevents content from navigating their <span>top-level
    browsing context</span></a> and <a href=#sandboxClose>prevents content from closing their
    <span>top-level browsing context</span></a>. It is consulted only when the sandboxed browsing
    context's <a id=sandboxing:active-window-2 href=document-sequences.html#active-window>active window</a> has <span>transient activation</span>.</p>

    <p>As with the <a href=#sandboxed-top-level-navigation-without-user-activation-browsing-context-flag id=sandboxing:sandboxed-top-level-navigation-without-user-activation-browsing-context-flag-3>sandboxed top-level navigation without user activation browsing context
    flag</a>, this flag only affects the <a id=sandboxing:top-level-browsing-context-4 href=document-sequences.html#top-level-browsing-context>top-level browsing context</a>; if it is not
    set, other <a href=document-sequences.html#browsing-context id=sandboxing:browsing-context-4>browsing contexts</a> might still be protected by
    other flags.</p>
   <dt>The <dfn id=sandboxed-origin-browsing-context-flag data-export="">sandboxed origin browsing context flag</dfn><dd>
    <p>This flag <a href=document-sequences.html#sandboxOrigin>forces content into an opaque origin</a>, thus preventing
    it from accessing other content from the same <a href=#concept-origin id=sandboxing:concept-origin>origin</a>.</p>

    <p>This flag also <a href=#sandboxCookies>prevents script from reading from or writing to the
    <code>document.cookie</code> IDL attribute</a>, and blocks access
    to <code id=sandboxing:dom-localstorage><a href=webstorage.html#dom-localstorage>localStorage</a></code>.</p>
   <dt>The <dfn id=sandboxed-forms-browsing-context-flag data-export="">sandboxed forms browsing context flag</dfn><dd>
    <p>This flag <a href=#sandboxSubmitBlocked>blocks form submission</a>.</p>
   <dt>The <dfn id=sandboxed-pointer-lock-browsing-context-flag data-export="">sandboxed pointer lock browsing context flag</dfn><dd>
    <p>This flag disables the Pointer Lock API. <a href=references.html#refsPOINTERLOCK>[POINTERLOCK]</a></p>
   <dt>The <dfn id=sandboxed-scripts-browsing-context-flag data-export="">sandboxed scripts browsing context flag</dfn><dd>
    <p>This flag <a href=#sandboxScriptBlocked>blocks script execution</a>.</p>
   <dt>The <dfn id=sandboxed-automatic-features-browsing-context-flag data-export="">sandboxed automatic features browsing context flag</dfn><dd>
    <p>This flag blocks features that trigger automatically, such as <a href=media.html#attr-media-autoplay id=sandboxing:attr-media-autoplay>automatically playing a video</a> or <a href=interaction.html#attr-fe-autofocus id=sandboxing:attr-fe-autofocus>automatically focusing a form control</a>.</p>
   <dt>The <dfn id=sandboxed-document.domain-browsing-context-flag data-export="">sandboxed <code>document.domain</code>
   browsing context flag</dfn><dd>
    <p>This flag prevents content from using the
    <code id=sandboxing:dom-document-domain><a href=#dom-document-domain>document.domain</a></code> setter.</p>
   <dt>The <dfn id=sandbox-propagates-to-auxiliary-browsing-contexts-flag data-export="">sandbox propagates to auxiliary browsing contexts flag</dfn><dd>
    <p>This flag prevents content from escaping the sandbox by ensuring that any
    <a id=sandboxing:auxiliary-browsing-context-2 href=document-sequences.html#auxiliary-browsing-context>auxiliary browsing context</a> it creates inherits the content's
    <span>active sandboxing flag set</span>.</p>
   <dt>The <dfn id=sandboxed-modals-flag data-export="">sandboxed modals flag</dfn><dd>
    <p>This flag prevents content from using any of the following features to produce modal
    dialogs:</p>

    <ul><li><code id=sandboxing:dom-alert><a href=timers-and-user-prompts.html#dom-alert>window.alert()</a></code><li><code id=sandboxing:dom-confirm><a href=timers-and-user-prompts.html#dom-confirm>window.confirm()</a></code><li><code id=sandboxing:dom-print><a href=timers-and-user-prompts.html#dom-print>window.print()</a></code><li><code id=sandboxing:dom-prompt><a href=timers-and-user-prompts.html#dom-prompt>window.prompt()</a></code><li>the <code id=sandboxing:event-beforeunload><a href=indices.html#event-beforeunload>beforeunload</a></code> event</ul>
   <dt>The <dfn id=sandboxed-orientation-lock-browsing-context-flag data-export="">sandboxed orientation lock browsing context flag</dfn><dd>
    <p>This flag disables the ability to lock the screen orientation.
    <a href=references.html#refsSCREENORIENTATION>[SCREENORIENTATION]</a></p>
   <dt>The <dfn id=sandboxed-presentation-browsing-context-flag data-export="">sandboxed presentation browsing context flag</dfn><dd>
    <p>This flag disables the Presentation API. <a href=references.html#refsPRESENTATION>[PRESENTATION]</a></p>
   <dt>The <dfn id=sandboxed-downloads-browsing-context-flag data-export="">sandboxed downloads browsing context flag</dfn><dd>
    <p>This flag prevents content from initiating or instantiating downloads, whether through <span>downloading hyperlinks</span> or through <a href=browsing-the-web.html#navigation-as-a-download>navigation</a> that gets <span>handled as a download</span>.</p>
   <dt>The <dfn id=sandboxed-custom-protocols-navigation-browsing-context-flag data-export="">sandboxed custom protocols navigation browsing context flag</dfn><dd>
    <p>This flag prevents navigations toward non <a href=https://fetch.spec.whatwg.org/#fetch-scheme id=sandboxing:fetch-scheme data-x-internal=fetch-scheme>fetch schemes</a>
    from being <a href=browsing-the-web.html#hand-off-to-external-software id=sandboxing:hand-off-to-external-software>handed off to external
    software</a>.</p>
   </dl>

  


  <nav><a href=popover.html>← 6.12 The popover attribute</a> — <a href=index.html>Table of Contents</a> — <a href=nav-history-apis.html>7.2 APIs related to navigation and
  session history →</a></nav>
